SAP zero-day vulnerability under widespread active exploitation – CyberScoop

Threat hunters and security researchers have observed widespread exploitation of a zero-day vulnerability affecting SAP NetWeaver systems. The unrestricted file upload vulnerability, tracked as CVE-2025-31324, carries the maximum CVSS base score of 10 and allows unauthenticated attackers to upload arbitrary files directly to the system.
The software defect, which affects the SAP Visual Composer component for SAP NetWeaver, was discovered and published by ReliaQuest on Tuesday. SAP issued an emergency patch for the vulnerability on Thursday, but the company's security advisory is available only to SAP customers with login credentials. SAP did not immediately respond to a request for comment.
“This isn’t a theoretical threat — it’s happening right now,” watchTowr CEO Benjamin Harris said in an email.
“watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access. This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties. If you thought you had time, you don’t.”
Researchers don’t know how many organizations have been affected by active exploitation of the vulnerability to date, but watchTowr confirmed it has observed widespread impact across critical industries. “Attempts and probes definitely spiked today,” Harris said.
It’s unclear how many SAP customers are already compromised, but SAP’s presence in government and enterprise systems is vast. The company has more than 400,000 customers globally.
“SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers,” ReliaQuest researchers said in a blog post.
After querying the internet-facing asset search engines Shodan and Censys, Onapsis estimates that about 10,000 exposed SAP instances are potentially vulnerable.
“Doing further analysis of SAP Netweaver Application Servers Java, we could estimate that between 50-70% of these types of systems that are internet-facing indeed have the component available. This estimation was done by checking the standard URL of the Visual Composer in the target systems,” Onapsis CTO JP Perez-Etchegoyen said in an email.
SAP Visual Composer is a modeling tool for SAP NetWeaver, a decades-old platform that underpins many SAP applications and integrates them with external data sources.
“SAP Visual Composer is not installed by default, but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding,” Perez-Etchegoyen said in a Friday blog post.
The critical software defect allows unauthenticated attackers to abuse built-in upload functionality to place arbitrary files, including web shells, on SAP NetWeaver instances and achieve full remote code execution, resulting in total system compromise, according to Harris.
“We believe the majority of exploitation occurred prior to disclosure, and believe it’s still the same gang exploiting vulnerable systems right now,” Harris said.
Researchers haven't attributed the attacks to a specific threat group, but watchTowr has high confidence that an initial access broker is behind the attacks, deploying backdoors that can be, or already have been, sold to ransomware groups.
“The fatal flaw in their plan though, and ultimately the challenge they may now face, is that the deployed backdoors did not restrict who could utilize the backdoor,” Harris said. “Now that this information is public, ransomware gangs will likely discover the deployed backdoors by themselves and bypass the need for said initial access broker.”
Researchers and incident responders are investigating multiple customer incidents and encourage SAP NetWeaver customers to patch their systems immediately. Because much of the exploitation is believed to predate disclosure, patching does not remove backdoors that have already been dropped, so exposed systems should also be checked for web shells and treated as compromised if any are found.
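One hunting check that follows from the web-shell reports above, added here as an example and not code from CyberScoop, watchTowr, ReliaQuest or Onapsis: walk a NetWeaver web root for recently modified JSP files that combine request-controlled input with command-execution primitives. The indicator patterns, the directory layout and the sample files are all assumptions constructed for this example; the article does not name the upload paths or the filenames the attackers used.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Heuristic indicators of a JSP web shell: server-side execution primitives
# plus request-controlled input. These patterns are assumptions made for this
# example, not indicators published with the advisory.
INDICATORS = [
    r"Runtime\.getRuntime\(\)\.exec",
    r"new\s+ProcessBuilder",
    r"request\.getParameter\(",
    r"Base64\.getDecoder",
]

def score_jsp(text):
    """Return how many distinct indicator classes appear in the file body."""
    return sum(1 for pattern in INDICATORS if re.search(pattern, text))

def hunt_web_shells(root, since, min_score=2):
    """Walk `root` and return sorted (relative_path, score) pairs for JSP/JSPX
    files modified at or after `since` (timezone-aware) that score >= min_score."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime < since:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                score = score_jsp(fh.read())
            if score >= min_score:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), score))
    return sorted(hits)

# --- constructed sample web root (assumed layout, not real SAP content) -------

BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body>
<h1>Portal</h1>
<p>Page: <%= request.getParameter("page") %></p>
</body></html>
"""

SHELL_JSP = """<%@ page import="java.util.Base64" %>
<%
  String c = new String(Base64.getDecoder().decode(request.getParameter("c")));
  Runtime.getRuntime().exec(c);
%>
"""

def build_sample_tree():
    """Create a throwaway web root with one benign page, one freshly dropped
    shell and one shell whose mtime is pushed 60 days back (an older drop or a
    timestomped one). Returns the root path."""
    root = tempfile.mkdtemp(prefix="nw_hunt_")
    portal = os.path.join(root, "portal")
    os.makedirs(portal)
    files = {
        os.path.join(root, "index.jsp"): BENIGN_JSP,
        os.path.join(portal, "helper.jsp"): SHELL_JSP,
        os.path.join(portal, "legacy.jsp"): SHELL_JSP,
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = time.time() - 60 * 86400
    os.utime(os.path.join(portal, "legacy.jsp"), (old, old))
    return root

RECENT = datetime.now(timezone.utc) - timedelta(days=7)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    root = build_sample_tree()
    # Recent window: [('portal/helper.jsp', 3)]
    print("recent only:", hunt_web_shells(root, RECENT))
    # No time filter: [('portal/helper.jsp', 3), ('portal/legacy.jsp', 3)]
    print("all time:   ", hunt_web_shells(root, EPOCH))
```

The modification time is weak evidence on its own: the 60-day sample shows how a timestomped or early drop falls outside a "last week" window, so run the sweep once with the epoch cutoff as well and correlate any hit with the application server's HTTP access logs. The scoring only sees plaintext, so obfuscated shells will need additional patterns. Since the reported backdoors did not restrict who could use them, a hit should be treated as a compromised host to isolate and image, not merely a file to delete.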
“This is as bad as it can get,” Perez-Etchegoyen said. “We are talking about a CVSS 10 vulnerability, remotely exploitable through HTTP, unauthenticated and allowing for full system compromise. Not only that, but there are threat actors exploiting it in the wild.”
The post SAP zero-day vulnerability under widespread active exploitation appeared first on CyberScoop.